Auditing and Hardening Unix Systems Using CIS benchmarks on SUSE Linux

Transcription

1 Auditing and Hardening Unix Systems Using CIS benchmarks on SUSE Linux

2 André Carrington, P.Eng, CISSP, CISM Unix experience: 13 years SunOS; NeXTSTEP; Sun Interactive; Wyse Unix; BSD; Solaris; QNX; HP-UX; Mandrake Linux; RedHat Linux; SUSE Linux; AIX As a user, developer, system administrator, webmaster, security specialist, security architect Professional IT experience: 13 years Recent: A Large Telco, Center for Internet Security (CIS), a commercial bank, etc. Also passed the CISA exam

3 What is hardening? Applying security controls to information systems to make them hard to exploit for unauthorized purposes. Preventing the candy-bar phenomenon: hard and crunchy on the outside, but soft and chewy on the inside.

4 What should be hardened? That is a risk-based decision. Any information system component can be compromised, so hardening guidelines and standards exist for: Servers Databases Workstations Routers Wireless access points Web server software server software

5 Assertions about hardening Hardening is: Effective Necessary to perform due diligence Measurable Detailed/skilled work that can be automated!

6 Hardening is effective According to the Center for Internet Security (CIS): The vast majority of cyber attacks exploit known vulnerabilities for which a patch or security configuration control is available. Solution: % of known vulnerabilities are blocked by implementing the CIS consensus benchmark configuration controls and applying available patches. (based on studies by NSA, MITRE and Solutionary)

7 We ll come back to the other assertions

8 How do you harden a Unix system? Protect the system during setup Setup from scratch (or scan/review) Backup configuration files Apply patches Turn on system accounting/logging Turn off unneeded services Use secure services Tune file/directory permissions Tune system administration accounts Tune kernel parameters

9 E.g. Use secure services: SSH Configure and use SSH A tunnel that is encrypted and mutually authenticated that allows: SSH v2 instead of telnet SFTP, SCP instead of FTP, TFTP, rcp, rdist X-Windows in a secure manner Servers are authenticated with public keys stored on the client Clients are authenticated with public keys or passwords

10 SSH configuration script cp sshd_config sshd_config.tmp awk '/^#? *Protocol/ { print "Protocol 2"; next }; /^#? *X11Forwarding/ \ { print "X11Forwarding yes"; next }; /^#? *IgnoreRhosts/ \ { print "IgnoreRhosts yes"; next }; /^#? *HostbasedAuthentication/ \ { print "HostbasedAuthentication no"; next }; /^#? *PermitRootLogin/ \ { print "PermitRootLogin no"; next }; /^#? *PermitEmptyPasswords/ \ { print "PermitEmptyPasswords no"; next }; /^#? *Banner/ \ { print "Banner /etc/issue.net"; next }; {print}' sshd_config.tmp > sshd_config rm sshd_config.tmp

11 E.g. Tune file/directory permissions Review permissions & requirements: passwd, shadow, group User home directories & dot files World-writable files World-writable directories sticky bit Set-UID and set-gid files Nosuid option re: mounted file systems Unowned files

12 Set-UID/GID files Find them: for PART in `awk '($6!= "0") { print $2 }' /etc/fstab`; do find $PART \( -perm o -perm \) \ -type f -xdev print done Compare them to a baseline (e.g. expected system files per a brand new installation also included with some tools) Watch for changes with a file integrity checker (and watch for new ones with a cron job)

13 E.g. Tune kernel parameters cat <<END_SCRIPT >> /etc/sysctl.conf # Following 11 lines added by CISecurity Benchmark sec 4.1 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 END_SCRIPT chown root:root /etc/sysctl.conf chmod 0600 /etc/sysctl.conf cat <<END_SCRIPT >> /etc/sysctl.conf # Following 3 lines added by CISecurity Benchmark sec 4.2 net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 END_SCRIPT chown root:root /etc/sysctl.conf chmod 0600 /etc/sysctl.conf

14 That seems like a lot of work!

15 How to make it easier Some vendors/resellers have images Dell, Oracle For your own installation images: Assemble scripts & baselines from standards like the CIS benchmarks Use the 80/20 rule select controls based on overall priorities/risks

16 Some issues may arise. Some application functions may not work right away Sometimes this identifies non-secure practices in vendor products Consider your options and resolve the conflict as needed Use standards that differentiate between: Actions that generally won t break functions Actions that may

17 Standards Organizations Center for Internet Security NIST (including DISA) NSA ISF Vendors also provide hardening guidelines

18 The Center for Internet Security (CIS) Modeled after other community initiatives, e.g., transportation safety A not-for-profit consortium of users Focused on the common needs of the global Internet community Convenes and facilitates consensus teams that develop detailed operational best practices

19 The CIS consensus process Teams are formed with security experts from CIS public and private sector member organizations I ve worked on teams with DISA, DOE, NIST, Cisco, Jay Beale, etc. An initial benchmark draft is obtained or developed Consensus is established via conference call discussion & Note: Benchmarks & scoring tools are made available free to all users globally via the CIS website

20 How do I audit my system?

21 The technical part of the audit can be automated. Free scoring tools CIS scoring tools are free for individual use within VA Scanners are focused on vulnerabilities in network services Address local users; prevent candy bars Assists with intrusion detection Other platforms: Cisco RAT; MBSA Commercial enterprise management tools There are many: ISS, Computer Associates, etc. Some can score against published standards

22 The old CIS scoring tool was textbased (default installation sample). *** CIS Ruler Run *** Starting at time :58:57 Positive: 1.1 System appears to have been patched within the last month. Negative: 1.2 sshd_config parameter Protocol is not set. Negative: 8.10 Current umask setting in file /etc/profile is it should be stronger to block group-read/write/execute. Negative: 8.10 Current umask setting in file /etc/csh.login is it should be stronger to block world-read/write/execute. Negative: 8.10 Current umask setting in file /etc/csh.cshrc is it should be stronger to block group-read/write/execute. Negative: 8.11 Coredumps aren't deactivated. Preliminary rating given at time: Mon Oct 1 19:58: Preliminary rating = 5.85 / Positive: 6.6 No non-standard world-writable files. Positive: 6.7 No non-standard SUID/SGID programs found. Ending run at time: Mon Oct 1 19:58: Final rating = 6.15 / 10.00

23 The new scoring tool is in development (Windows sample)

24 The Audit process Policy Processes Configuration Activity

25 Audit Policy Processes Deployment Administration Monitoring Configuration Activity

26 Audit Policy Processes Deployment Administration Change Management Patch Management Backup and Recovery Monitoring Configuration Activity

27 Audit Policy Processes Deployment Administration Monitoring Vulnerability Assessment Log Review & HIDS Compliance Review Configuration Activity

28 Audit Policy Processes Configuration Scoring tools Hardening scripts Activity

29 Audit Policy Processes Configuration Activity User Login Attempts File changes Root shell commands Errors

30 How audit fits into the lifecycle Audit Standardize Harden Monitor

31 The management view of it Audit Standardize Harden Monitor Risk of policy & practice; corrective action Set/negotiate/review standards Assist Raise awareness; require training

32 In conclusion I have addressed the assertions that hardening is: Effective Necessary to perform due diligence Measurable Detailed/skilled work that can be automated!

33 Thank-you for your time. André Carrington, P.Eng, CISSP, CISM